lessons 5-9 Flashcards
Targeted attack
is when a threat actor chooses a target for a specific objective. The choice of the target is influenced by the perceived value of the outcome
Opportunistic attack
is when a threat actor takes advantage of a vulnerable target (not previously knowing them). the choice of target is generally influenced by work factors (Time effort and resources to accomplish a task)
Hacktivist
threat actor making a Political statement, generally talented. Funding variable
Organized crime (cyber criminals)
out to make money, well organized, well funded
Insiders | Shadow IT
someone at the organization that’s disgruntled
Script Kiddies
threat actor that does it for bragging rights or notoriety. Low level of sophistication
Hackers
financial gain, notoriety. Generally talented
NON-ADVERSARIAL THREATS
- Natural: natural occurrences such as earthquakes, floods, fire, pollutants, pandemics
- Operational: Loss of service like electricity, HVAC, technical issues, com, failure
- Human: Accidents, civil disturbances, work stoppages.
Threat Modeling
Is a structured process by which potential threats and threat actors can be identified, enumerated, and prioritized.
Asset-centric
What/why. Identifies valued assets and motivation
Architecture-centric
How. identifies system design components, strengths, and weaknesses.
Attacker-centric
Who- identifies the adversaries.
THREAT INTELLIGENCE
evidence-based knowledge about emerging threats that can be used to inform control decisions
OSINT - OPEN SOURCE INTELLIGENCE
is a term used to refer to the data collected from publicly available sources to be used in an intelligence context. OSINT framework is a structured collection of OSINT tools.
CISA
America’s cyber defense agency- resources, visit on a regular basis!
THREAT VECTOR
Also known as an attack vector is a potential pathway, or scenario that can be exploited
*Common threat vectors include: malicious emails in phishing attacks, weak or stolen passwords, drive-by download attacks, web applications, out of date applications or devices, and trusted relationships
attack surface
is the sum of all threat vectors.
DEFAULT CREDENTIALS
*Issue- initially set up by the vendor. Built-in admin username and password
*Impact- unauthorized access and compromise. Pathways to pivot to other devices- a quick Google search will usually reveal default credentials for a specific product.
*Causes- convenience, forgetfulness, laziness
*Response- change or disable the default credentials
WEAK PERMISSIONS
- Issue- are those that allow for unnecessary access (device, cloud, application)
- Impact- unauthorized access, access violations, privacy violations
- Causes- lack of understanding, poor classification, overconfidence.
- Response- documented policies and procedures. Management education, config. Management and standards
DATA EXFILTRATION
the unauthorized transfer of data from a computer or network, typically carried out by cyber attackers to steal sensitive information such as personal data, financial records, or intellectual property.
OPEN SOURCE PORTS
network ports that are actively listening for incoming connections and are accessible from outside the network.
* Issue- ports are those in listening mode
* Impact- exposure, potential exploit, unauthorized access, denial of service, integrity of device management
* Causes- poor or nonexistent config. Management, unrestricted permission to install a device or software
* Response- Config. Management, ongoing system hardening, account restrictions
UNSUPPORTED SYSTEMS & SOFTWARE
*Issue- 2 issues: unauthorized installation of devices/software OR end of life (EOL)/ end of support (EOS)
* Impact- exploits, compatibility issues, unauthorized access.
* Causes- lack of centralized control, and local admin privileges. Absence of refresh policies and lack of understanding.
* Response- refresh policies and standards, resource management, budget allocation
THIRD-PARTY THREAT VECTORS
include vendors, managed service providers (MSPs), business partners, consultants, and contractors that in some interact with our organization data
Fourth-parties
are vendors that third-party sources through- these manifest as risks to the organization
supply chain
an entire ecosystem or organizations, processes, people, and resources involved in providing a product or service
END OF LIFE
EOL: the date when the product, or service of subscription is determined to be obsolete.
END OF SUPPORT
EOS: the last date to receive applicable service and support
EOL | EOS RISKS
Why can’t we just keep using the hardware?
Adversaries will continue to identify and exploit vulnerabilities
Exposure to litigation for not upholding the standard or due care
Risk of downtime due to lack of support
Incompatibility with newer OS, applications, and hardware.
service level agreements (SLA)
a contract between a service provider and a customer that outlines the expected level of service, including specific performance standards and responsibilities.
SYSTEM SPRAWL
the uncontrolled growth and spread of IT systems and resources within an organization, making them difficult to manage and secure.
non conformance
a situation where products, processes, or services fail to meet specified standards, requirements, or regulations, resulting in deviations from expected quality or performance.
ISA
Information Sharing and Analysis. the sharing of information and analysis related to cybersecurity threats and vulnerabilities among organizations to improve the overall security posture of the supply chain.
Social Engineering
Is the action of exploiting human nature rather than technical hacking techniques to gain access to minds, systems, data or building
Pretexts
are fabricated stories or scenarios used to conceal the true purpose of an activity. Pretexts generally use enough truth to make them appear plausible.
Impersonation
is an act of pretending to be someone else.
Phishing-
pretexting and impersonation using email, casting a wide net. Spear phishing targets a specific group or individual, whaling targets high-profile individuals.
SMAshing
pretexting and impersonation using texts.
Vishing
pretexting and impersonation using voice
Watering Hole-
describes the exploitation of a website or social media app that is frequented by the target. (making fake profiles to target you on Facebook, and Instagram)
Shoulder Surfing
covert observation nearby or remote
Piggybacking/ Tailgating
when an unauthorized person enters a checkpoint close behind, or in concert with authorized personnel
Dumpster diving
the act or going through trash for information
Baiting
the use of a gift for infiltration. (like a USB drive)
Disinformation-
false or misleading information spread on purpose to deceive.
Shallow fake
the alteration of media content using simple video editing software
Deep fake-
the use of machine learning and or AI to manipulate or generate deceptive audio or video content.
Ethical disclosure
is the practice of publishing information related to a vulnerability or finding. The purpose is to inform others of potential risks so they can make informed decisions and take appropriate action.
Full disclosure
is making all details public without regard to additional harm that may be caused to others including exploitation by adversaries.
Responsible disclosure
is making enough information known so that informed decisions can be made while not releasing details that could be useful to an adversary.
VULNERABILITY MANAGEMENT
the process of identifying, assessing, reporting, prioritizing,and mitigating vulnerabilities.
zero day (0-day) vulnerability
is a flaw in hardware or software that has been discovered but a fix is not yet available.
window of vulnerability (WoV)
The time from when an exploit first becomes active to when the number of vulnerable systems shrinks to an insignificant number
Escalation
access to a protected area
Buffer overflow
a buffer overflow is a type of software bug where a program writes more data to a block of memory, or buffer than it is supposed to hold, causing the excess data to overwrite adjacent memory. This can lead to crashes, data corruption, or give attackers a way to exploit the system.
Memory leak
when a program fails to release memory that is no longer needed, causing it to consume more and more memory over time. This can eventually slow down the system or cause it to run out of memory and crash.
Race condition
is a flaw that produces an unexpected result when the timing of actions impact other actions
Time-of- check- TOC
is when a program checks the state of a resource and then uses that info to make a decision.
Time-of-evaluation- TOE
is when a program relies on the timing of events concurrently or in a specific order
Time-of-use- TOU
is when the state of a resource changes between TOC and YOU often because of a concurrent thread.
Injection-
is the insertion of code or commands by exploiting input validation or processing mechanisms
Directory Traversal
the ability to access files and directories outside of the intended directory
Privileged escalation
gaining elevated access to resources that are normally protected from an application or a user.
Side-channel
a weakness in the physical properties of a device. Like power consumption or electromagnetic radiation that can be used to extract sensitive information.
Sideloading
installing and running software on a mobile device from a source other than the app store
Jailbreaking
bypassing the security restrictions on a mobile device to gain greater control and access to the device’s OS and files.
Indicators of Attacks (IoAs)
behaviors or actions suggest an attack that is happening or about to happen- IoAs are proactive
Indicators of Compromise (IoCs)
are evidence that a system may have been compromised- IoCs are reactive
CYBER KILL CHAIN
Is a framework developed by Lockheed Martin that explains how attackers move through networks to identify vulnerabilities that they can then exploit.
recon- weaponization-delievery-exploit-installation-commande and control(C2)- action on objectives
COMMON INDICATORS OF ATTACK (IoA)
Unusual network traffic- could be indicative of communication with a C&C server, data exfiltration or recon activity
Phishing emails- an increase in volume could be an indicator of an attack
Unusual system events- such as errors, warnings, crashes, account lockouts, missing system logs and anomalies in admin activity can be indicators of an attack
Unauthorized software- The presence of unauthorized software, files, or unapproved devices on a network can be an indicator of an attack
Artifacts
are evidence or clues
*Typical artifacts left behind by an attacker include new user accounts, file hashes, virus signatures, malicious files, command and control connections, modification of system and registry settings, evidence of data exfiltration, and patterns of suspicious behavior.
Malware
malicious software
*It is used by hackers, cybercriminals, hacktivists, and cyber terrorists to either steal information, harm, or disrupt operations, extort and or weaponize devices
rootkit
a type of malicious software designed to gain unauthorized access to a computer system and hide its presence, allowing an attacker to maintain control over the system without being detected.
types of rootkits
*Firmware- override the firmware BIOS so the rootkit can start before the OS.
*Bootkit- replaces the OS bootloader (the small piece of software that starts the OS) so that the PC loads the bootkit before the OS.
*Kernel- replace the portion of the operating system kernel so the rootkit can start automatically when the OS loads.
*Driver- impersonates a trust driver that the os uses to communicate with the hardware ( addresses by UEFI and Driver attestation)
Stealth (malware technique)
is designed to be inconspicuous in order to avoid detection by concealing file size or moving to an alternate location
Memory resident (malware technique)
stays resident in memory upon execution and can infect other programs running at the same time.
Metamorphic (malware technique)
is rewritten with each iteration so that each succeeding version of the code is different from the preceding program
Polymorphic (malware technique)
evades pattern-matching detection by frequently changing identifiable characteristics like file name, type or encryption keys
Command and control (C2)
the objective for C2 is for the compromised system to contact the command center which gives the attacker control of the infected device
Advanced persistent threat (APT)
sophisticated, slow, stealthy and prolonged attack on a specific target with the intention to compromise their system and gain information from or about that target
Bot | Zombie
are automated processes that either have instructions embedded or listen for instructions
Ransomware
encrypts files and demands ransom for the decryption key
Bloatware
unwanted and potentially harmful software preloaded onto new devices. Also known as potentially unwanted application (PUAs)
backdoors
code embedded in an application by the developer, backdoors (bypass control)
logic bombs
code embedded in an application by the developer, executes when a certain event or time occurs
brute force
a hacking method where an attacker tries all possible combinations of passwords or encryption keys until they find the correct one, to gain unauthorized access to a system.
Work Factor
is the estimate of time, effort and resources needed by an adversary to succeed.
Conduct-BRUTE FORCE APPROACHES
the payload of the attack is the conduct of the attack itself- denial of service attack
Discovery -BRUTE FORCE APPROACHES
the payload of the attack is used to discover a hidden secret- discovering a password
Rainbow table-
uses a precomputed table of hashes to find the original plaintext- password cracking
intrusion prevention systems (IPS)
a security tool designed to detect and block malicious activities and attacks on a network or system in real-time
Information technology (IT) infrastructure attack
are primarily concerned with managing data and information assets
operational technology OT infrastructure attack
s focused on the use of hardware and software systems to monitor and control physical processes in industrial settings. For example, a manufacturing plant or transportation system.
CYBER ATTACK TERMS
- Targeted- Choose a target for a specific objective
- Opportunistic- the attacker takes advantage of a weak target
- Amplification- uses an amplification factor in order to multiply its power- use of botnets to launch DDoS attacks or spam campaigns.
- Reflection- sends a large number of requests to a device with the victim’s IP address as the source address. Often used with amplification attacks.
Spoofing
is impersonating an address, system or person- enables an attacker to act as the trusted source and redirect or manipulate actions
Poisoning
manipulating the trusted source of data- enables the attacker to control the trusted source of data and redirect or manipulate actions
Hijacking
intercepting communication between two or more systems- enables the attacker to eavesdrop, capture, manipulate, or reuse data packets.
Denial of service
overwhelming system resources- enables the attacker to make services unavailable for their intended use.
Distributed denial of service DDoS
massive volume of service requests from multiple sources, and often uses amplification and reflection techniques.
URL Squatting
registering or using an internet domain name belonging to someone else
Typosquatting
taking advantage of common typos to create fraudulent domain
Input validation
is the process of properly validating input from the client or environment
Output validation
is used to control what is returned to the screen
Injection- (application attack)
Tricks an app to include unintended commands in the data sent to an interpreter.
Cross-site scripting (XSS)
the injection of malicious code into a web application or back end database that will execute scripts in a victim browser. Can be persistent and reflective
Cross-site request forgery (CSRF)
trick a web browser into executing a malicious action on a trusted site for which the user is currently authenticated. CSRF exploits the trust that a site has in a user’s browser.
Directory Traversal
uses specially crafted input that includes …/ sequences to traverse a directory and access files or directories outside of the intended scope.
SQLi ATTACK
a type of cyber attack where an attacker inserts malicious SQL code into a query input to manipulate a database, potentially gaining unauthorized access to sensitive data or altering the database’s content and behavior.
WIRELESS ATTACK
The objective is the disruption, manipulation, or compromise of wireless transmission or devices
Sniffing-
Capturing wireless data packets. Enables an attacker to eavesdrop, manipulate or reuse data packets
Bluejacking
allows an attacker to send an unsolicited message to a bluetooth device
Bluesnarfing
discovering and connecting to a bluetooth device with weak or nonexistent authentication requirements.
NFC (near field communication) Bump
enables an NFC-enables attacker to connect to an NFC device by being in close enough range.
Evil twin (rogue access point w/ the same SSID)
allows an attacker to trick a user into connecting to an attacker-controlled network. May also impersonate a captive portal to capture credentials or payment info.
RFID cloning
allows the attacker to access a system, engage in credit card fraud, remove inventory, or whatever else the RFID chip is used for.
802.11
a set of standards for wireless networking (Wi-Fi) that defines how devices communicate over wireless networks
IV Attack
is a type of cryptographic attack that exploits weaknesses in the initialization vector
Jamming
overwhelming wireless frequencies with illegitimate traffic and the frequency becomes unavailable for legit traffic.
Dissociation
spoofing a disassociate message, which forces a device to reassociate, device is continually knocked offline, can be used as a precursor to an evil twin attack
cryptanalysis
The process of finding a cryptographic weakness
DOWNGRADE ATTACK
A type of attack on a system that forces degradation to a lower quality crypto mode. The attacker then exploits the lesser security control
SIDE CHANNEL ATTACK
Is any attack based on information gained from the implementation of a computer system, rather than weaknesses in the implemented algorithm itself.
Timing attack
exploits the fact that different computations take different times to compute on the processor. For example, if the encryption takes a longer time, it indicates that the secret key is long.
Dictionary
list of known keys are tested, common wordlists
Frequency analysis
analyzes patterns of frequencies in encrypted messages to deduce info about the underlying plaintext or key used to encrypt the message.
Birthday
exploits the mathematics behind the birthday problem is probability theory to cause a collision
Pass-the-hash
attackers can use captured hashed credentials from one machine to successfully gain control of another machine
Survivability
a system property (the ability to prevent, mitigate, and recover from cyber events)
open design
the security mechanism should not depend upon the security of the design or implementation. the argument against “security through obscurity”
default deny
is a security policy where all access is denied by default, and only explicitly allowed traffic or actions are permitted.
sanitization
the process of cleaning or modifying input data to remove or neutralize potentially harmful elements, ensuring it is safe for processing and preventing security vulnerabilities like SQL injection or cross-site scripting (XSS).
zero trust
no default trust or privilege. verification is required for access
least functionality
a security principle that dictates systems should be configured to provide only the minimum functions necessary for their intended purpose, reducing the risk of exploitation by limiting potential attack surfaces.
separation of deuties
breaking a task into segments so that no one subject is in complete control or has complete decision-making power.
least privilege
giving a subject only rights and permissions needed to complete assigned tasks
psychological acceptance
human interface should be designed for ease of use so that users routinely and automatically apply the protection mechanisms correctly.
Segmenting
an enterprise into security zones is useful for creating and enforcing security policies, controlling information flow, and securing network access.
Security zone
are divisions of a network based on functional, performance, and or security requirements. They are enforced by firewall ingress and egress(incoming) access control lists (ACL) rules
Untrusted
is one where the organization has no control over the internet
Screened subnet
has connections to both trusted and untrusted networks
Trusted
is one that the organization has complete control over.
Enclave
a restricted network within a trusted network - database servers
Air gapped
does not connect to any untrusted network
Micro-segmentation
a method of creating zones within data centers and cloud environments to isolate workloads from one another and secure them individually.
East-West-North-South traffic
north-south is the traffic that flows into and out of data centers or clouds, and east-west is the traffic within a data center or cloud.
Protect Surface
made up of the network’s most critical and valuable data, assets, applications, and servers (DAAS). It’s always knowable
Virtualization
creates multiple environments from a single physical hardware system- virtual machines provide fault and security isolation at the hardware level including memory and CPU access.
